This is only the second expulsion of a member in the 30 year history of the Chaos Computer Club - the previous one was, apparently some neo-nazi who had been abusing their infrastructure.

There is no mention of this bickering on either the official https://ccc.de or https://openleaks.org web pages, the participants have, instead decided to give interviews to the media, without bothering to inform their supporters directly (a couple of thousand of whom were gathered at the campsite).

(click for a larger screenshot image of https://leaks.taz.de in a new window)

From 12th to 14th of August 2011 this public platform is offered by German daily taz die tageszeitung, German weekly der Freitag, Portuguese weekly Expresso, Danish daily Dagbladet Information as well as the consumer protection organization Foodwatch; in cooperation with OpenLeaks. During this time you can upload documents, which will be worked on by the involved parties.

The goal of this setup is to invite you to do a security evaluation of the system during the Chaos Communication Camp 2011.

Obviously, most of the people at the CC campsite were busy with the many other projects and causes, but some of the people with expertise and experience of whistleblowing website anonymity and security infrastructure, and relations with the mainstream media, were present and may have contributed to the discussions and the preview "testing".

As anybody who has attended these sort of hacker conventions should know, the mere act of putting up a webs server on the campsite network, will mean that it will be "stress tested" in a very hostile network environment, with lots of port scans and probes and attempts to hack into it and run denial of service attacks, but these would also happen if it was hosted at a major data centre.

But that should not be the only proper testing that the system gets before going live, a point on which here we agree with the CCC and which Daniel Domscheit-Berg also probably agrees with.

Endorsement by mainstream media brand names mentioned above provide far more public trust and credibility, whatever that is actually worth regarding a currently non-operational system, than any (non-existent) "CCC" branding or approval.

The CCC have never been known for having any kind of "approved by the CCC" branding or "approval" of computer or telecommunications projects and they are deluding themselves if they think they would ever be trusted internationally if they did so.

The CCC leaders' action (it is a properly registered legal entity with a board of directors, a constitution etc.) now gives the impression of siding with Julian Assange (who was never a member) against Daniel Domscheit-Berg.

As mentioned in his book, Daniel Domscheit-Berg and the other former WikiLeakS.org technical staff defector "the Architect", took away their own intellectual property and thereby disabled the "improved" WikileakS.org submission system

Julian Assange and his cult of supporters have never bothered to replicate even the shaky anonymity and security infrastructure which they were left with or re-launch a different, better, whistleblower leak submission and publication system, despite having plenty of volunteers and money to do so.

The president of the CCC Andy Müller-Maguhn, who some of us once elected to the board of the ICANN which regulates internet domain name registration and appeals procedures, seems to have been trying to mediate between Julian Assange and Daniel Domscheit-Berg for nearly a year over the return of this encrypted data to Julian Assange.

Since there is no evidence that the current WikiLeakS.org team is capable of handling the data securely (their current website does not even bother to use an SSL / TLS Digital certificate any more) they cannot be trusted any more than Daniel Domscheit-Berg can be.

The current OpenLeaks.org project may not yet have published its software as an Open Source project, which is what the purists at the CCC would like, but then neither has WikiLeakS.org nor any other whistleblower website.

Even if they did so, there is no guarantee that the specific computer and networking configuration settings and infrastructure used by a particular website are not actually counteracting any anonymity or security functions built in to the Open Source software.

All that the CCC board needed to do was to issue a press release making it clear that there was no official CCC endorsement of the OpenLeaks.org project.

The breakdown in mediation attempts the CCC may have tried between Julian Assange and Daniel Domscheit-Berg are not proper grounds for expelling the latter from the Club.

Some of the wrongdoers who have something to hide from public scrutiny and might therefore fear the OpenLeaks.org project, will be smiling to themselves at this display of disunity amongst the German section of the tiny minority of people around the world with the technical skills and attitude to make a difference.

Expelling Daniel Domscheit-Berg, without also criticising the current WikiLeakS.org cult, has damaged the reputation of the Chaos Computer Club internationally.

What about the Wau Holland Foundation and OpenLeaks.org ?

The registered charity the Wau Holland Foundation, which is controlled by CCC sympathisers, may not now be available the Openleaks.org project, as a channel for receiving financial donations from supporters, a service it currently performs for WikiLeakS.org.

If OpenLeaks.org gets some money from its media partners, this may not matter too much, but until there is a virtuous circle of whistleblower trust and actual mainstream media publication of leaks via OpenLeaks.org, they will always be short of money.

OpenLeaks.org may still be able to make use of PayPal etc., to receive financial donations from individuals, something which WikiLeakS.org no longer can do, as they have managed to annoy and get banned over the years, due to their lack of financial transparency and their perceived anti-American political bias.

Tags:

The Wired.com Danger Room preview article WikiLeaks Defector Slams Assange In Tell-All Book by Kim Zetter, about Daniel Domscheit-Berg's forthcoming book, seems to confirm many of the suspicions and speculations about the apparent internal rifts within the WikiLeakS.org project, which this blog has commented on over the years.

[...]

WikiLeaks founder Julian Assange lost control of his site's submission system in an internal revolt last fall, and has never regained it, according to a tell-all book penned by the organization's top defector, who accuses Assange of routinely exaggerating the security of the secret-spilling website and lying to the public about the size and strength of the organization.

Although WikiLeaks has claimed for months that its submission system is down due to a backlog of documents it has no time to process, Daniel Domscheit-Berg writes in Inside WikiLeaks that he and a top WikiLeaks programmer seized the submission system when they defected from the organization last September, along with documents in the system at the time.

[...]

Last August, in the wake of rape allegations against Assange as well as criticism that the site had mishandled the names of informants in Afghan documents the site published with media partners, Domscheit-Berg and two WikiLeaks programmers fed up with the way things were being run, staged a halfhearted mutiny. They disabled the WikiLeaks wiki and changed the passwords to the Twitter and e-mail accounts. In response, Assange shut down the whole system, causing the mutineers to cave in. But within weeks, Domscheit-Berg and one of the programmers had left WikiLeaks for good and taken the submission system with them.

They seized the system because they had doubts Assange would handle the documents securely, due to lack of care he had allegedly shown for submissions in the past.

"Children shouldn't play with guns," Domscheit-Berg writes. "That was our argument for removing the submission platform from Julian's control ... We will only return the material to Julian if and when he can prove that he can store the material securely and handle it carefully and responsibly."

The submission system had been recrafted by the programmer, whom Domscheit-Berg refers to only as "the Architect", after he became frustrated with the jerry-built infrastructure Assange, and perhaps others, had set up when Wikileaks launched in December 2006, according to the book. WikiLeaks had been running on a single server with sensitive backend components like the submission and e-mail archives connected to the public-facing Wiki page. The Architect separated the platforms and set up a number of servers in various countries.

In a statement Wednesday, WikiLeaks essentially confirmed Domscheit-Berg's version of why the site's submission system is missing. The organization said the system remains down months after Domscheit-Berg left because his "acts of sabotage" forced the organization to "overhaul the entire submission system" and the staff lacks time to do so.

The statement does not explain why Assange had previously claimed the submission system was down by design to stop an already huge backup of documents from growing even larger.

Domscheit-Berg writes that he and the Architect won't release the unpublished documents and will return them to WikiLeaks once Assange builds a secure system. Noting that the current site has no SSL support, Domscheit-Berg warns that anyone who visits the site to read submission instructions could be monitored.

"The current system has become a security risk for everyone involved," he writes.

Domscheit-Berg told Threat Level in an interview on Sunday that the hijacked leaks only include those submitted since the time the system came back online in July following an outage, and the time it went down permanently. Anything submitted before then, or via other methods, would still be in Assange's possession.

[...]

Domscheit-Berg began working with Assange after meeting him at a hacker conference in Germany in December 2007. Although WikiLeaks claimed to have hundreds of volunteers and an untold number of staffers, the organization consisted essentially of Assange and Domscheit-Berg, who pored through submissions, did little more than simple Google searches to verify documents and posed as non-existent staffers in e-mail and other correspondence to make WikiLeaks seem heftier than it was.

The two were later joined by "the Technician" in 2008 and "the Architect" in 2009, both of whom assumed responsibility for the technological infrastructure, while Assange and Domscheit-Berg handled content and media relations. That is, until internal fighting began in 2009. Initially, the fights were over Assange's lack of transparency in handling donated funds, but eventually encompassed everything from the security of sources and submissions, to Assange's lack of trust in Domscheit-Berg, and Assange's relations with women.

[...]

When journalists asked about problems with WikiLeaks' infrastructure, Domscheit-Berg would purposely confuse them with technobabble. He writes that it was amazing how often their obfuscation strategy worked. "To create the impression of unassailability to the outside world, you only had to make the context as complicated and confusing as possible," he writes. "It was the same principle used by terrorists and bureaucrats. The adversary can't attack as long as he has nothing to grab hold of." The truth was, he notes, their "technical infrastructure was a joke and irresponsible. If someone knew where the server was located they could have shut WL down permanently ... We were acting irresponsibly, playing a risky game with our sources' trust and our supporters' donations."

Until WikiLeaks began working with media partners in 2010, it did little vetting of submissions beyond simple Google searches to see if documents seemed legitimate. This proved to be a problem when someone identified in a Julius Baer document as having a secret Swiss bank account claimed he'd been misidentified. Domscheit-Berg says the source who gave them the documents had also "included some background information he had researched about the bank's clients." But the source had apparently confused a Swiss account holder with a German man who had a similar name. When the German threatened to sue for slander, Assange and Domscheit-Berg added a caveat to the document saying, "according to three independent sources" the information might be false or misleading. The three independent sources, however, didn't exist. Domscheit-Berg says they made them up.

The pressure on WikiLeaks is increasing. DN.se reveals that several key figures behind the website that publishes anonymous submissions and leaks of sensitive governmental, corporate, organizational or religious documents have resigned in protest against the controversial leader Julian Assange only to launch a new service for the so-called whistleblowers. The goal: to leak sensitive information to the public.

The new project, "Openleaks," has been under way for some time and will be launched Monday. DN.se has spoken to individuals behind the new site and the message is clear.

"Our long term goal is to build a strong, transparent platform to support whistleblowers--both in terms of technology and politics--while at the same time encouraging others to start similar projects," says a colleague wishing to remain anonymous.

"As a short-term goal, this is about completing the technical infrastructure and ensuring that the organization continues to be democratically governed by all its members, rather than limited to one group or individual."

The news comes in turbulent times for WikiLeaks. Thousands of documents infuriating global leaders and policy-makers have been unveiled to the public via Cablegate. Meanwhile, Julian Assange has been arrested in Great Britain on suspected rape charges based in Sweden. News about WikiLeaks has been over-shadowed by Assange's personal problems.

Earlier this year, WikiLeaks experienced accessibility issues. According to information revealed to DN.se, the problem was not linked to outsiders trying to sabotage, but came from the inside as a signal to Julian Assange to step down. The colleagues were dissatisfied with the operation's association with Assange's personal problems and how he used the organization in his explanation of the criminal charges.

It is hard to pinpoint exactly which of the technical infrastructure failures in the last year have been due to internal sabotage and feuds within WikiLeakS.org .

It is the top-down management style which is under critique.

On the other hand, the DN.se source emphasizes the fact that the new website is supportive of WikiLeaks purpose and goal.

"The two organizations are similar in that aspect that both are focusing on providing means for whistleblowers to anonymously provide the public with information," one insider says.

Unlike WikiLeaks, Openleaks will not receive and publish information directly for the public eye. Instead, other organizations will access the Openleaks system and in turn, present their audience with the material. Documents will be processed and published by various collaborating organizations.

"We intend to split the work in a way where we handle only the anonymity and receiving end of the information," says another colleague.

This blog will be carefully scrutinising "the anonymity and receiving end of the information"

How will a whistleblower know if their "leak" is likely to get published or not ?

If not, then why would they use OpenLeaks at all ?

Remember that WikiLeakS.org is no longer an option, as they are still refusing to accept any whistleblower leak submissions.

According to the internal documents shared with DN.se, Openleaks intends to establish itself as a neutral intermediary "without a political agenda except from the dissemination of information to the media, the public, non-profit organizations, trade- and union organizations and other participating groups."

That is still a political agenda, albeit perhaps not such an overtly anti - US Government one as WikiLeakS.org mutated into pursuing.

"All editorial control and responsibility rests with the publishing organization. We will, as far as possible, take the role of the messenger between the whistleblower and the organization the whistleblower is trying to cooperate with," says one anonymous informant.

Another intended consequence is to avoid the pressure from world leaders that WikiLeaks has experienced.

"As a result of our intention not to publish any document directly and in our own name, we do not expect to experience the kind of political pressure which WikiLeaks is under at this time. In that aspect, it is quite interesting to see how little of politicians' anger seems directed at the newspapers using WikiLeaks sources."

The German Domscheit-Berg, along with several other former Wikileaks staffers, plans to launch a website they're calling OpenLeaks as early as next week, Domscheit-Berg told Forbes in an interview. Like WikiLeaks, the new site will allow leakers to anonymously submit information to a secure online dropbox. But unlike its parent site, it won't publish that information itself. Instead, it will allow the source to designate any media or non-governmental organizations he or she chooses and have that information passed on for fact-checking, redaction and publication. That difference, argues Domscheit-Berg, will allow OpenLeaks to accomplish much of the transparency achieved by WikiLeaks, without drawing the same political fury and legal pressure.

"To constrain the power of the site, we're splitting submission from the publication part. We won't publish any documents ourselves. The whole field is diversified," says Domscheit-Berg. "No single organization carries all of the responsibility or all of the workload."

Resource constraints, as Assange told me in an interview last month, have forced WikiLeaks to choose only its "highest impact" material for publication. But those constraints have also politicized WikiLeaks and forced it to make subjective decisions about its targets, Domscheit-Berg argues. "We want to be a neutral conduit," he says. "That's what's most politically sustainable as well."

OpenLeaks will integrate with the organizations it passes information to, functioning as a secure tip box on their sites. Those organizations can choose to store leaked information on their own servers or leave it in the hands of OpenLeaks, Domscheit-Berg says. "All this is cryptographically separated in a fashion that everyone has their own dedicated part of the system," he says.

Cryptography, whilst important, is not in itself sufficient to protect the anonymity of whistleblowers.

What protections will there be against Communications Traffic data analysis to protect the individual journalists who may have access, or may be strongly suspected of having access to such leaked material ?

If, for example, someone were to upload some alleged real, life threatening secrets, perhaps a list of names, job tiltles, home addresses, photos , fingerprints, DNA profiles etc. of intelligence or counter-terrorism agency officers or undercover police officers, then how will OpenLeaks protect the identities of individual journalists who had access to cryptographically protected "part of the system" ? Communications Traffic Data analysis (i.e. which computer logged into the system at which time and what size of files were transferred etc.), could identify individual journalists, who might then be put under intrusive surveillance or harassment or arrest, even if the encrypted content could not be read by third parties ?

The project will initially partner with five newspapers worldwide,

Exactly which newspapers ?

but soon expand to anyone who wants to participate. "Newspapers, NGOs, labor unions, anyone who wants to receive information from anonymous sources, we enable all these people to run something like this," says Domscheit-Berg.

And if the recipient organization chooses not to publish a leak? After a time designated by the source, the leaked material can be sent to other media outlets. "If a newspaper doesn't publish it, it will be shared," says Domscheit-Berg. "They can't just put it in a drawer."

This sounds a bit like the failed WikiLeakS.org proposal for charitable funding for "Local" versions of WikiLeakS.org. See the previous blog article:

A few more obvious questions, which should be asked by the swarm of journalists, some of whom may succeed in getting interviews with the OpenLeaks people next week.:

How many, if any, of the OpenLeaks team will declare their involvement and support of the project publicly ? Who are they ?

Will OpenLeaks be less aloof and arrogant and Twitter dependent than WikiLeakS.org ? (Despite having a Wiki and a Website and for a time a "blog" and email as methods of publishing detailed Press releases, WikiLeakS.org favoured short Twitter messages which, for complicated issues, come across as curt and arrogant. These Tweets were mixed with various ad hominem attacks and gripes against opponents)

Which of the several already registered domain names using OpenLeakS / OpenLeak etc . will this new website actually use from Monday ?

Will there be multiple physical mirrors of the content as well as multiple domain name DNS aliases pointing to the main website ?

Will OpenLeaks use secondary and tertiary etc. DNS providers,in different legal jurisdictions, so as not be vulnerable to legal or illegal attacks on a single DNS provider , something which WikiLeakS.org was warned about, but chose to ignore until very recently ?

Will OpenLeaks eschew the stupid WikiLeakS.org policy of "security through obscurity" and embrace Kerckhoffs' Principle ? i.e. "a cryptosystem should be secure even if everything about the system, except the key, is public knowledge."

Will OpenLeaks publish a high level technical / security / anonymity infrastructure architecture overview ? (WikiLeakS.org never did this, relying on buzzwords and names of open source security / anonymity tools which they never properly explained the specific risks of their particular implementation of. They often actually never used (e.g. Freenet) , or stopped using some of these claimed technologies after a while, for no good reason (e.g. the use of PGP encryption / digital signatures.)

Will OpenLeaks actually use a proper SSL/TLS Digital Certificate for https:// encryption, especially of any contact or submission web forms ? (WikiLeakS.org started off ok with one, but failed to replace it when the MD5 digital signature weakness was made public, then failed to renew it, then re-introduced a Digital Certificate for a while, but have now abandoned this again)

Will OpenLeaks publish and use one, or more, Pretty Good Privacy (PGP) public encryption and digital signing keys ? (WikiLeakS.org initially, after some prompting, published a PGP Key, then allowed it to expire after a year and then claimed that they were developing some sort of alternative encrypted email system, which never appeared )

Will OpenLeaks publish a Tor Hidden Service to allow more anonymous file uploads ? (WikiLeakS.org did start off with a Tor Hidden Service option, but abandoned it a year ago, although there was a brief re-appearance of a different one in July)

Will OpenLeaks accept postal submissions and / or financial donations ? (WikiLeakS.org did publish a list of "safe" PO box addresses, including one in Kenya, which they managed to continue publicising for financial donations, even after there was physical a break in to the premises and even after they had inappropriately only used Twitter to warn off some, but not all, people, from using it any longer)

What feedback will there be to an anonymous whistleblower that their submission or communication has actually been successfully received ?

How will OpenLeaks raise any funds ?

What will they do to protect the anonymity of financial contributors ?

What level of financial transparency and auditing of the finances will there be ?

Which media organisations and government agencies will have pre-publication access to the submitted material ?

Why should OpenLeaks be any more trustworthy than WikiLeakS.org ?

Tags:

About this blog

This blog here at WikiLeak.org (no "S") discusses the ethical and technical issues raised by the WikiLeakS.org project, which is trying to be a resource for whistleblower leaks, by providing "untraceable mass document leaking and analysis".

These are bold and controversial aims and claims, with both pros and cons, especially for something which crosses international boundaries and legal jurisdictions.

This blog is not part of the WikiLeakS.org project, and there really are no copies of leaked documents or files being mirrored here.

Email Contact

Please feel free to email us your views about this website or news about the issues it tries to comment on:

LeakDirectory.org

Now that the WikiLeakS.org project is defunct, so far as new whistleblower are concerned, what are the alternatives ?

The LeakDirectory.org wiki page lists links and anonymity analyses of some of the many post-wikileaks projects.

There are also links to better funded "official" whistlblowing crime or national security reporting tip off websites or mainstream media websites. These should, in theory, be even better at protecting the anonymity and security of their informants, than wikileaks, but that is not always so.

New whistleblower website operators or new potential whistleblowers should carefully evaluate the best techniques (or common mistakes) from around the world and make their personal risk assessments accordingly.

Hints and Tips for Whistleblowers and Political Dissidents

The WikiLeakS.org Submissions web page provides some methods for sending them leaked documents, with varying degrees of anonymity and security. Anybody planning to do this for real, should also read some of the other guides and advice to political activists and dissidents:

Please take the appropriate precautions if you are planning to blow the whistle on shadowy and powerful people in Government or commerce, and their dubious policies. The mainstream media and bloggers also need to take simple precautions to help preserve the anonymity of their sources e.g. see Spy Blog's Hints and Tips for Whistleblowers - or use this easier to remember link: http://ht4w.co.uk

WikiLeakS Twitter feeds

The WikiLeakS.org website does not stay online all of the time, especially when there is a surge of traffic caused by mainstream media coverage of a particularly newsworthy leak.

Recently, they have been using their new Twitter feeds, to selectively publicise leaked documents to the media, and also to report on the status of routing or traffic congestion problems affecting the main website in Stockholm, Sweden.

N.B.the words "security" or "anonymity" and "Twitter" are mutually exclusive:

Campaign Button Links

Gary McKinnon is facing extradition to the USA under the controversial Extradition Act 2003, without any prima facie evidence or charges brought against him in a UK court. Try him here in the UK, under UK law.

FreeFarid.com - Kafkaesque extradition of Farid Hilali under the European Arrest Warrant to Spain

Parliament Protest blog - resistance to the Designated Area restricting peaceful demonstrations or lobbying in the vicinity of Parliament.

The Big Opt Out Campaign - opt out of having your NHS Care Record medical records and personal details stored insecurely on a massive national centralised database.

Tor - the onion routing network - "Tor aims to defend against traffic analysis, a form of network surveillance that threatens personal anonymity and privacy, confidential business activities and relationships, and state security. Communications are bounced around a distributed network of servers called onion routers, protecting you from websites that build profiles of your interests, local eavesdroppers that read your data or learn what sites you visit, and even the onion routers themselves."

Home Office Watch blog, "a single repository of all the shambolic errors and mistakes made by the British Home Office compiled from Parliamentary Questions, news reports, and tip-offs by the Liberal Democrat Home Affairs team."